Bug#659379: uzbl: world-readable (and writable!) cookie jar

2012-07-08 Thread Jonathan Wiltshire
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed this bug. These problems were not serious enough for a Debian Security Advisory, so they are now on my radar for fixing in the following suites through point releases:
squeeze (6.0.6) - use target stable

Bug#659379: uzbl: world-readable (and writable!) cookie jar

2012-02-11 Thread Jakub Wilk
* Henri Salo he...@nerv.fi, 2012-02-11, 14:11:
$ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
drwxr-xr-x 3 user users 4096 Feb 9 23:29 /home/user/.local/
drwxr-xr-x 4 user users 4096 Feb 9 23:29 /home/user/.local/share/
drwxr-xr-x 2 user users 4096 Feb 9 23:29 /home/user/.local/share/uzbl/

Bug#659379: uzbl: world-readable (and writable!) cookie jar

2012-02-11 Thread Henri Salo
On Sat, Feb 11, 2012 at 01:25:18PM +0100, Jakub Wilk wrote:
* Henri Salo he...@nerv.fi, 2012-02-11, 14:11:
$ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
drwxr-xr-x 3 user users 4096 Feb 9 23:29 /home/user/.local/
drwxr-xr-x 4 user users 4096 Feb 9 23:29 /home/user/.local/share/

Bug#659379: [Secure-testing-team] Bug#659379: uzbl: world-readable (and writable!) cookie jar

2012-02-11 Thread Henri Salo
On Fri, Feb 10, 2012 at 05:09:13PM +0100, Jakub Wilk wrote:
Package: uzbl
Version: 0.0.0~git.20100403-3
Severity: grave
Tags: security
Justification: user security hole
$ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
drwxr-xr-x 3 user users 4096 Feb 9 23:29 /home/user/.local/

Bug#659379: uzbl: world-readable (and writable!) cookie jar

2012-02-11 Thread Luca BRUNO
forwarded 659379 http://www.uzbl.org/bugs/index.php?do=details&task_id=291&project=1
thanks
Henri Salo wrote:
This allows local users to steal cookies (and tamper with them). Does this security-issue have CVE-identifier? I can request one from oss-security mailing list if ID hasn't

Processed: Re: Bug#659379: uzbl: world-readable (and writable!) cookie jar

2012-02-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:
forwarded 659379 http://www.uzbl.org/bugs/index.php?do=details&task_id=291&project=1
Bug #659379 [uzbl] uzbl: world-readable (and writable!) cookie jar
Set Bug forwarded-to-address to 'http://www.uzbl.org/bugs/index.php?do=details&task_id

Bug#659379: uzbl: world-readable (and writable!) cookie jar

2012-02-11 Thread Jakub Wilk
* Luca BRUNO lu...@debian.org, 2012-02-11, 15:33: +try: + # make sure the cookie jar is not world-open + perm_mode = os.stat(self.filename).st_mode + if (perm_mode (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)) 0: + os.chmod(self.filename,
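Review bot: The permission test on the "if" line covers only the stat.S_IROTH, stat.S_IWOTH and stat.S_IXOTH bits, so a cookie jar that is group-readable or group-writable passes unchanged, and because the check runs os.stat on self.filename and only then calls os.chmod, the file already exists with its open mode before it is tightened. Consider creating the jar with an owner-only mode (for example under a restrictive umask) before any cookie is written, and masking the group bits (stat.S_IRWXG) along with the other bits. The quoted hunk is cut off after "os.chmod(self.filename," so the mode being applied and the except branch of the try are not visible here.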

Bug#659379: uzbl: world-readable (and writable!) cookie jar

2012-02-10 Thread Jakub Wilk
Package: uzbl
Version: 0.0.0~git.20100403-3
Severity: grave
Tags: security
Justification: user security hole
$ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
drwxr-xr-x 3 user users 4096 Feb 9 23:29 /home/user/.local/
drwxr-xr-x 4 user users 4096 Feb 9 23:29 /home/user/.local/share/